CVE-2020-7750

CRITICAL

scratch-svg-renderer < 0.2.0-prerelease.20201019174008 - Cross-Site Scripting via SVG Injection in loadString

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7750. PoCs published by Stig Magnus Baugstø.

AI-analyzed exploit summary This exploit demonstrates an XSS vulnerability in Scratch Desktop <3.17.1 via a malicious SVG file lacking a viewBox attribute, which can trigger arbitrary JavaScript execution. On Electron-based Scratch Desktop, this escalates to RCE by leveraging Electron APIs to execute system commands.

Description

This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.

Exploits (1)

exploitdb WORKING POC
by Stig Magnus Baugstø · textwebappsmultiple
https://www.exploit-db.com/exploits/50079

This exploit demonstrates an XSS vulnerability in Scratch Desktop <3.17.1 via a malicious SVG file lacking a viewBox attribute, which can trigger arbitrary JavaScript execution. On Electron-based Scratch Desktop, this escalates to RCE by leveraging Electron APIs to execute system commands.

Classification
Working Poc 90%
Attack Type
Xss | Rce
Complexity
Trivial
Reliability
Reliable
Target: Scratch Desktop <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
No auth needed
Prerequisites: Ability to upload a malicious SVG file to a Scratch project or as a sprite
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.6
EPSS 0.0618
EPSS Percentile 91.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (2)
mit/scratch-svg-renderer 0.1.0 (24 CPE variants)
mit/scratch-svg-renderer 0.2.0 prerelease20180605154326 (26 CPE variants)
Published Oct 21, 2020
Tracked Since Feb 18, 2026